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problems for a transponder on a vehicle that may occur in case 
of using debiting functions in the transponder. 

A third aim of the invention is to provide a solution that 
5 allows an accurate measurement of the position of the 

transponder as well as that the transponder is communicated 
with data. 

A fourth aim of the invention is to enable an off line 
10 function, i e that the system shall not have to call a central 
to match the data code of the transponder with a personal code 
related to the driver of the vehicle and/ or the fuelling place. 

A fifth aim of the invention is to enable also the debiting in 
15 itself off line, i e without having to call a central. 

A sixth aim of the invention is to enable updating and reading 
of the transponder both at the fuelling robot and at other 
places in a way which is acceptable from a security point of 

2 0 view . 

■ 

Description of the invention 

The present invention thus relates to a system for debiting at 
25 automatic fuelling of vehicles, where a microwave transponder 
close to the filling point of the vehicle is used for 
positioning of a fuelling robot by position measurement with a 
sensor in the moving arm of the robot, and is characterized in 
that the transponder also is arranged to contain information 

3 0 concerning debiting related to the filling, and that a code 

read through the sensor from the transponder thereby is matched 
with data from a sensor unit for identification of the owner or 
the driver of the vehicle. 

* 

35 With owner or driver is meant in the description and the 
claims, except for the owner or the driver a person who is 
authorized to fuel the vehicle and thereby cause that an 
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account or the like is debited* 

According to the invention a microwave transponder 

(0,9 - 25 GHz) mounted close to the filling point of the 

5 vehicle has been designed so that it both can be carefully 

measured with respect to its position, and also that it can be 
read with respect to its data contents, and possibly also that 
it can be reprogrammed. A preferred embodiment of the 
transponder consists in that at certain times it gives away a 

10 measurement signal, and at other instants communicates with a 
data signal. By a thus repeated and time sequential 
measurement/ communication a solution is obtained where the 
respective signals can be optimized for their purpose. 

15 According to the invention, an active and unique action of the 
driver of the vehicle is required, alternatively that a 
biometrical sensing of the driver is made, whereby a higher 
level system ties together the information from the driver with 
the information that has been stored/ is stored in the 

20 transponder. In this way there is no longer any demand to steal 
the transponder, since a violator with great certainty is not 
able to repeat the identification of the driver, and he can 
thereby not make any use of a stolen transponder. 

25 The identification of the driver is in a preferred embodiment 

made such that the driver keys in a PIN code (Personal 
Identification Number) in a keyboard close to the side window 
'of the vehicle, but can also make use of so called biometrical 
methods such as speech/ voice recognition, where the driver 

30 talks in a code via a microphone close to the vehicle. Other 

biometrical methods include that the driver enters his finger 
in a sensing unit for fingerprints close to the vehicle, 
alternatively that the shape of the palm of the hand is sensed. 

35 In still another embodiment the driver uses a code transmitter 

or an electronic reflecting data carrier to transfer an 
identification signal. Alternatively an object belonging to the 
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driver, such as a card with an optical code, can be used for 
the identification. 

All the mentioned methods can be used without the driver having 
5 to step out from the vehicle, and thereby give the desired 
comfort. 

The methods with biometry, code transmitter, data carrier and 
optical codes also have the advantage that a code does not have 
10 to be memorized. 

In a preferred embodiment the transponder can partly or 
completely be written with encrypted data. In this case the 
advantage of protection against viewing as well as protection 

15 against copying between different transponders is obtained, 
whereby the theft demand for the transponder is furthermore 
decreased. In addition the risk for unauthorized copying is 
reduced, e g with transponder data which with a portable reader 
is catched from a vehicle provided with a transponder on a 

20 parking place or the like. 

Information storage in the transponder is thereby made both in 
a read memory and in a write/read memory, whereby the read 
memory is only possible to write once, preferably during 
25 manufacturing of the transponder. 

The read memory is written with a code unique to each 
transponder, a so called mark, so that each unit is unique and 
can not be mixed up with others. Permanent writing methods are 
30 preferably used, e g in that memory circuits in the data chip 
of the transponder during manufacture are etched selectively 
with a laser or are burned by means of coded current pulses in 
a pattern individual to each transponder. 

• 

35 During writing of encrypted data in the transponder the 

information is encrypted together with the own unique mark of 
the transponder and possibly a random number, in that the mark 
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first is read into the unit that makes the encryption. In this 
way a unique encrypted code is created in the write/read memory 
of each transponder, even if the information in different 
transponders, e g the code for a certain fuel filling station, 
should be alike. This make it much more difficult for 
unauthorized viewing of the transponder and falsification of 
it. 

Another advantage with the encryption technique is that one 
does not have do distribute transponder lists to the filling 
stations, but only the system key that has been used for 
writing of the data carrier with its encrypted data. By aid of 
the system key the distributed communication units can 
automatically decide if the data carrier is valid or not, e g 
if a prepaid value stored in the transponder is large enough, 
if the transponder is valid at the filling place in question 
etc, without a central system having to be called. In this way 
communication costs, long response times and vulnerability of 
the system is avoided. Related debiting does not have to be 
made at the same time as the fuelling takes place, but can take 
place before or afterwards as desired. 

Nevertheless so called black lists can be distributed at a 
relatively low cost to the fuel filling stations, since they 
only contain a minor part of all transponders in the system, 
and then be locally verified against the unique mark of the 
transponder • 

• 

To show that the transponder is used by its right owner, the 
security may require that a special code, so called PIN code, 
is used during identification. The PIN code can according to 
the system described herein be stored in a secure way in 
encrypted form in the transponder and be compared with the code 
that is received from the owner at an entering unit localized 
close to the fuelling robot. Since the PIN code is encrypted, 
the security will be sufficient to permit the verification to 
take place locally and without calling. 
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■ 

A PIN code, however limits the flexibility in the 
identification since the person has to key it in at each 
instant. It can then be imagined that a PIN code is keyed in 
more seldom, e g once a month and at the fuelling place that is 
5 most often used. The validity period and a code for the special 
fuelling place is thereby written into the transponder in an 
encrypted way and can be valid for e g a month or a year. 

It will furthermore be more secure to store prepaid monetary 
10 values in the transponder, that can be debited each time 

fuelling takes place. The petrol station does then not have to 
make a call neither to check the PIN code nor to debit a 
central account, but can function off line. This is especially 
advantageous in less populated areas and in areas where the 
15 infrastructure of society is not well developed as regards 

handling of electronic payment transactions. 

Filling of a new amount into the transponder can take place at 
the instant of fuelling by the fact that the position sensor 
20 also changes transponder data according to an order from a bill 

counting machine, a bank etc according to the driver's 
instructions during fuelling, and where a credit card or a so 
called smart card can be used to authorize the transaction. 

25 The transponder contains in a special embodiment also a write 

memory that can not be read, and a fast encryption algorithm in 
hardware and without microprocessor. In the write memory in the 
transponder one then writes in a transponder key in the form of 
an encrypted number. The transponder key is created by the fact 

30 that, in the unit that makes the writing, the first read unique 

mark of the transponder is encrypted with a higher level system 
key. 

An advantage with the solution with transponder key and 
35 hardware algorithm is that the system can ensure that nobody 

can imitate the behaviour of the data carrier, that will become 
different from one communication instant to another. During 
identification, the communication unit sends a random number to 
the transponder. The transponder encrypts the random number 
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with the transponder key according to the encryption alghorithm 
built in in its hardware, and retransmits the encrypted random 
number and the mark to the communication unit. 

The communication unit can now with the mark, the system key 
and the random number calculate the transponder key and perform 
the same encryption as the data carrier to check that the 
response of the transponder is valid. 

A special advantage by not using a microprocessor is that the 
encryption procedure becomes faster, especially since no time 
is needed to serially feed data between the high frequency 
junction and the circuits of the microprocessor. Since the 
serial circuits can operate in synchronism with the high 
frequency signals, the communication time is considerably 
reduced • 

Another advantage by not having a microprocessor in the 
transponder is that it can be made much more lean on current, 
which gives smaller dimensions and lower cost at the same time 
as both speed and communication range will be good. 

A portable read/write unit can be used to update the data of 
the transponder. The portable unit can thereby stay in 
connection with a central via microwaves within a range of 
about hundred meters. 

Data intended for the transponder can comfortably and without 
wire be gathered from the central to the place where the 
vehicle is parked, and in the opposite way transponder data can 
be transferred from the transponder to the central. Since the 
encryption key thereby does not exist in the portable unit but 
is in a higher level system, the theft demand for the portable 
unit will be low. It can not be used in itself to read and 
interpret transponder data, but serves as a comfortable 
communication link for transponder data to and from each place 
within reach of the communication unit from the central. 



The portable unit can also, instead of via microwave 



WO 95/32919 



PCT/SE94/00508 



8 

communication, be connected to the central via a cable. 
Description of the drawings 

The invention shall now be described more in detail with 
reference to embodiments of the invention on the enclosed 
drawings , where 

Fig 1 shows a vehicle at an automatic fuel filling station, 
Fig 2 shows coding of a transponder , 

Fig 3 shows schematically encrypted writing and reading of a 
transponder , 

Fig 4 shows the corresponding writing and reading more in 
detail, and 

Fig 5 shows communication between transponder and central via 
a portable communication unit. 

Description of embodiments 

Figure 1 shows a vehicle 1 close to an automatic fuelling robot 
2. The robot has in the outer end of its movable arm 3 a sensor 

4, which is designed to measure the position of a transponder 

5, so that with guidance of the transponder it is able to guide 
its filling tube 6 to the filling place 7 of the vehicle. 

• 

Close to the vehicle 1 there is a sensor unit 10, which senses 
the result of a unique action by the driver or biometry, such 
as the keying in of a PIN code, voice expressions, 
fingerprints, hand palm pattern etc. 

The transponder 5 emits continuously, or repeated with certain 
time intervals, a modulation code 20 shown in fig 2, which 
comprises a phase and/or amplitude modulated reflex of a 
microwave signal radiated from the sensor 4, e g at 2,45 GHz. 
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The modulation of the transponder is suitably made without 
adding new energy to the signal,, in that the transponder from 
the output signal of the sensor 4 creates a modulated signal 
with information sidebands that are r eradiated to the sensor 
5 and are there mixed down to base band, e g 32 kHz, for further 

signal processing. 

The sensor can also, in a known way, by transmission of a pulse 
modulated microwave signal to the transponder update its data 
1 0 contents . 

In a special embodiment pulse modulation can also be used to 
activate the circuits in the transponder that are causing the 
side band modulation, while the circuits transfer to a resting 
15 state when the pulse modulation disappears. Since the 

transponder only to a smaller part of its time is in the field 
from a sensor, the total current consumption will therefore be 
less than if the modulation takes place continuously. 

20 In the embodiment every modulation code from the transponder is 

divided in a synchronizing/measurement sequence 21 and a data 
sequence 22. 

During the synchronizing/measurement sequence 21, phase 
25 comparison is made in the sensor so that angular error signals 

can be created and brought forward for steering of the robot. 

The measurement will be very accurate since the frequency and 

the phase of the transponder signal 21 during this time is 

controlled and unaffected by transponder data and therefore 
30 without uncontrolled spectrum widening. The signal is typically 

controlled from a crystal in the transponder unit, e g by a 

watch crystal with the frequency 32 768 Hz. 

During the communication sequence 22 data is transferred from 
35 the transponder to the sensor in the form of the signals 22a 

and 22b. In this case the sequence 21 is used for synchronizing 
of the decoding circuits in the robot that are to interpret the 
signal 22a and 22b. The transferred signals 22a and 22b can be 
coded in a number of different ways, e g according to FSK, 
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DFSK, PSK or DPSK. 

■ 

The signals 22a and 22b causes such a spectrum widening in the 
base band signal (e g around 32 kHz) that the precision of the 
measurement during the time 22 will be considerably reduced. 
This is, however, not a problem, since the measuring sequence 
21 is repeated often enough so that the robot can not move very 
far between each measuring instant. A typical intermediate time 
between two measurement sequences can e g be 100 ms, while the 
measuring sequence in itself can be in the order of 10 ms. 

When the robot has now measured the position of the transponder 
and has docked with the filling point of the vehicle, a 
verification is needed that the identity of the driver is 
fitting with data from the transponder. 

This takes place in the shown example in that the driver keys 
in a PIN code in the terminal 8 placed close to the side 
window. The higher level system has before that received 
information about which account that is to be debited, and 
which PIN code that is connected with the account can 
alternatively be gathered from a central that is called. 
Matching of the transponder code with the keyed in code leads 
to the fact that the robot can start its fuelling pump and 
complete the fuelling. The matching takes place by means of 
circuits including a microprocessor or computer belonging to 
the robot. 

In another embodiment voice entering is used, whereby a 
microphone 11 is applied at the sensor unit 10, to which a 
voice recognition system is connected. The interpretation of 
this system of the pronounced code of the driver, e g a PIN 
code in the form of a number of talked figures, is then matched 
with the transponder code. 

Still another embodiment is using identification with an 
optical sensor close to the vehicle that recognizes an object 
brought by the driver such as a card with a barcode or a 
dotcode. 
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The sensor unit can also be designed to receive signals from a 
code transmitter or an electronic data carrier that preferably 
operates in the visual, IR, radio or microwave range, 
alternatively operates with ultrasonic technology. 

In the transponder mounted on the vehicle also other 
information can be stored, such as about discounts, fuel 
quality etc, which is especially advantageous if the filling 
station is remotely located and a non called system therefore 
is used for the debiting. 

In the same way it is of advantage if a prepaid value has been 
stored in the field of the transponder field 22b, which value 
is read by the sensor unit 4, is modified according to the cost 
for the performed filling and is rewritten in the data field 
22b of the transponder. 

The above mentioned method to encrypt the transponder 
information can thereby be used, and then the transponder 
unique code field 22a is used as a so called mark, while the 
code field 22b is used for data and possible random 
information. 

The PIN code and/ or a balance related to the payment is then 
preferably pre programmed in the data field 22b of the 
transponder, whereby the data field of the transponder is 
encrypted with information from a transponder unique and not 
changeable code in the transponder 22a, an encryption key and 
possibly a random number. This technology is more accurately 
described in connection to figures 3 and 4, where the mark 22a 
corresponds to the field 47 and where the encrypted part of the 
data field 22b corresponds to the field 51. 

Information to the driver is given on a display unit 9, e g 
instructions for the debiting and information about remaining 
amount in the transponder in case it . is preprogrammed with 
money related information. The display unit can also be used in 
conjunction with the transponder being filled with a money 
related value via a bill reader, credit card, smart card or 
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other technology. 

The sensor unit 10 can thus include a keypad , microphone, video 
camera and image processing circuits, fingerprint detector, 
5 hand palm sensor, magnetic card reader, so called smart card 
reader, communication unit for code transmitter and data 
carrier etc. 

Figures 3 and 4 show writing and reading of an encrypted 
10 transponder according to the invention, although the embodiment 
with hardware algorithm in the transponder is not shown in 
figure. 

In figure 3 two communication units 41, 42 and a transponder 43 
15 are shown, where the first communication unit is used for 

encrypted writing of data into the transponder and the other is 
used for reading. The transponder thus brings encrypted 
information from one place to another and thereby constitutes a 
media. 

20 

The transponder is designed to be communicated with microwaves 
44, 45, so that during writing it is illuminated with a coded 
microwave signal 45, alternatively during reading emits a 
reflex 44 where data, without new energy having been added to 
25 the microwave signal, is modulated onto an illumination signal 
45 emitted from the communication unit, which during the 
modulation time is essentially continuous. The communication 
unit 41 can be a sensor 4 at a fuelling station with bill 

reader and/or credit card/ smart card reader, and the 

♦ 

30 communication unit 42 can be a sensor at a filling station 
which only is intended for filling of fuelling and not for 
filling money related amounts to the transponder. 

The memory of the data carrier, i e the memory of the 
35 transponder, comprises both a read only part 47 with a code 

unique for the data carrier, the so called mark, and a read and 
write part 48, a so called write/read memory, where variable 
data can be written. In the communication units 41, 42 there is 
also one and the same encryption key 49. 

40 
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Figure 4 shows an embodiment where at least a part 51 of the 
read/write memory 48 is readable from outside, and where the 
same data can be stored in different transponders despite that 
the bit pattern in the memory part 51 through said encryption 
is different from data carrier to data carrier. Encryption 
according to what is later mentioned about hardware key in the 
transponder can, but does not have to, be included in the 
transponder since all applications do not require this 
function. 

The first communication unit 41 is first reading the unique 
mark 47 and then encrypts the mark and the basic information 56 
in the write/read memory 51. 

When the same system key 49 is used in the second communication 
unit 42, user data 56 can be recovered 55 in that the mark 47 
then read from the transponder and the system key 49 are used 
for decryption of the encrypted information 52 that has been 
stored in the write/read memory 51 of the data carrier. 

In addition to what has been described so far, one can, in 
addition to mark 47 and system key 49 also make use of a random 
number 53 created in the first communication unit 41 during 
encryption of the information 52 to the memory part 51 of the 
transponder- In this case the recovered user data 55 are 
separated from the recovered random number after decryption. 
Normally the random number 54 is thrown away after recovery. 

Encrypted information in the memory 51 of the transponder can 
thus concern validity classed information intended to be varied 
only at certain communication instants r and then represents e g 
validity time, a PIN code, a geographical area or an authority 
class. It can also concern value related information intended 
to be varied at each communication instant, such as monetary 
value to be used for fuelling. 

The algorithm for writing of data in the transponder is 
normally of a symmetrical type, while an asymmetrical algorithm 
can be used for transferring of the system key in itself, 
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possible PIN code, debiting data etc over the ordinary 
telecommunication network. 

* 

This transfer then takes place between different communication 
units, alternatively between a called central and a 
communication unit. 

Figure 5 shows a portable communication unit 30 , which via 
microwaves at a relatively short distance can write and read 
information in the transponder 5 and at relatively large 
distance also can communicate this information with a central 
31. Because the communication unit is designed fully 
transparent for data, it is obtained that the encryption key 
does not have to be in the portable unit whereby the theft 
demand for it is reduced. 

The communication unit can also be connected to the central via 
a serial line 32 instead of, or as a complement to, the earlier 
described microwave connection. 
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CLAIMS 

1. System for debiting at automatic fuelling of vehicles, where 
a microwave transponder (5) close to the filling point of the 
vehicle is used for positioning of a fuelling robot (2) by 
position measurement with a sensor (4) in the movable arm (3) 
of the robot, characterized in that the transponder also is 
intended to contain information concerning the debiting related 
to the filling, and that a code (22) read via the sensor from 
the transponder thereby is matched with data from a 
registration unit (10) for identification of the owner or 
driver of the vehicle. 

2 .System according to claim l, characterized in that said 
identification is made by recognition of a driver unique action 
such as entering of a PIN code and/or in that the biometrical 
properties of the driver are sensed and/ or in that information 
from an object brought with the driver is sensed. 

3. System according to claim 1 or 2, characterized in that the 
input means of the sensor unit comprises a keypad (8) for 
entering of PIN code, a voice and/or speech recognition 
equipment with microphone (11) , a fingerprint detector or a 
hand palm sensor. 

4 .System according to claim 1 or 2, characterized in that an 
optical sensor close to the vehicle recognizes an object 
brought with the driver such as a card with barcode or dot code 
upon it. 

■ 

5. System according to any of the previous claims, 
characterized by that a sensor close to the vehicle interprets 
signals from a code transmitter or electronic data carrier 
brought by the driver, where the brought unit operates in the 
visual, IR, radio or microwave area, alternatively functions 
with ultrasonic technique. 

6. System according to any of the previous claims, 
characterized by that the transponder, with or without time 
intervals, emits a synchronising/measuring sequence (21) with 
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controlled frequency and phase for measurement of the position 
of the transponder, and also emits a communication sequence 
(22) in which information about an account related to the 
debiting has been stored. 

7. System according to any of the previous claims , 
characterized in that the PIN code and/or an account related to 
the payment or balance are stored in a write/read memory (48) 
in the data field 22b of the transponder, and that the whole or 
part of the transponder data field (51) is encrypted with 
information from a unique and not changeable code in the 
transponder (22a; 47), an encryption key (49) and possibly a 
random number (53) . 

8. System according to any of the previous claims, 
characterized in that the data field (48) of the transponder 
before the filling of fuel contains information about a 
prepaid amount, that after the fuel filling is modified by 
rewriting of a correspondingly changed amount in the data 
field. 

9. System according to any of the previous claims, characterized 
in that the transponder is designed to receive a random number 
and from this and a memory possible to write but not readable 
in the transponder according to a hardware algorithm in the 
transponder calculate a number (transponder key) , emit this and 
its mark, and where the system reads the emitted information 
and by a control calculation confirms the information of the 
transponder despite that its emitted information varies from 
one instant to another since the random number varies. 

10. System according to any of the previous claims, 
characterized by that it also includes a portable communication 
unit (30), that via microwaves can write and rad information in 
the transponder (5) , and where the portable unit via microwaves 
or cable also can communicate the transponder information with 
a central (31) . 

11. System according to any of the previous claims, 
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characterized by that the communication unit (30) can transfer 
encrypted information between the transponder and the central 
without that any encryption key exists in the communication 
unit. 
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